UOOU - Decision No. UOOU-01025/20-94 of 14 March 2023 concerning the company AVAST SOFTWARE
THE OFFICE FOR PERSONAL DATA PROTECTION
Pplk. Sochora 27, 170 00 Prague 7, CZ
Phone: 234 665 111, fax: 234 665 444
The Office for Personal Data Protection (hereinafter “the administrative authority” or “the Office”), as the competent administrative authority pursuant to Section 64(1) of the Act No. 110/2019 Coll., on personal data processing (hereinafter “the Act No. 110/2019 Coll.”), and pursuant to Articles 58(2)(i) and 60(7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) effective from 25 May 2018 (hereinafter “the Regulation (EU) 2016/679”), in offence proceedings conducted pursuant to Act No. 250/2016 Coll., on liability for and proceedings relating to offences, as amended (hereinafter “the Act No. 250/2016 Coll.”), and the Act No. 500/2004 Coll., the Code of Administrative Procedure, as amended, decided as follows:
The company Avast Software s.r.o., registered office at Pikrtova 1737/1a, 140 00 Prague 4 — Nusle, Czech Republic, company registration number (IČO): 02176475 (hereinafter referred to as “the charged company”),
I. is guilty, as the controller pursuant to Article 4(7) of the Regulation (EU) 2016/679, of the offence consisting in transferring personal data of the AVAST antivirus program users and its browser extension users to the company Jumpshot, INC., registered office at 19801 Wilmington, County of New Castle, Delaware, 1209 Orange Street, United States of America (hereinafter “Jumpshot”), in order to produce a statistical analysis of trends, even though that processing was not supported by any legal ground within the meaning of Article 6(1) of the Regulation (EU) 2016/679, whereas this activity lasted at least over the period from an unspecified day of April 2019 to an unspecified day of July 2019, i.e. for at least two calendar months,
and thereby breaching the fundamental principle of personal data processing pursuant to Article 6(1) of the Regulation (EU) 2016/679, that is to say, the principle following which processing of personal data is lawful only if at least one of the conditions set out in that provision is met,
and thereby committed an offence pursuant to Section 62(1)(b) of the Act No. 110/2019 Coll.;
II. is guilty of the offence that, in relation to the transfer of personal data to the company Jumpshot, it, as the controller of personal data pursuant to Article 4(7) of the Regulation (EU) 2016/679, failed at the time of obtaining the personal data to sufficiently inform the data subjects (users of the AVAST antivirus program and its browser extension) about the purposes of the processing for which the user data were intended and about the legal basis for the processing, at least over the period from an unspecified day of April 2019 to an unspecified day of July 2019, i.e. for at least two whole calendar months;
and thereby breaching the obligation under Article 13(1)(c) of the Regulation (EU) 2016/679, that is to say, the obligation to provide the data subject, at the time where personal data are obtained, with the information specified in that provision,
and thereby committed an offence pursuant to Section 62(1)(c) of the Act No. 110/2019 Coll.;
III. for which a fine in the amount of CZK 351,000,000 (three hundred and fifty-one million Czech crowns; ca. EUR 13,657,587) is imposed on it in accordance with Article 83(5) of the Regulation (EU) 2016/679,
IV. and furthermore, pursuant to Section 95(1) of the Act No. 250/2016 Coll., the obligation to pay the costs of the proceedings in the amount of CZK 1,000 (ca. EUR 39),
V. both due within 30 days of the date on which this decision becomes effective by means of a non-cash transfer to the Office’s account kept at the ČNB, no. 19-5825001/0710, variable symbol being the charged company’s ID number, constant symbol 1148.
I. Applicable legal framework
II. Case delimitation
The proceedings concerning a suspected offence pursuant to Section 62(1)(b) and (c) of the Act No. 110/2019 Coll., consisting in the transfer of data of users of the AVAST antivirus program and its browser extension (hereinafter also “the AVAST antivirus program”), in particular of data about the behaviour of these users when using a personal computer and the internet, to a new controller (in the sense of a further controller) pursuant to Article 4(7) of the Regulation (EU) 2016/679 without a legal ground and in breach of the information obligation pursuant to Article 13(1) of the Regulation (EU) 2016/679, were initiated by the Office’s notice delivered to the charged company on 27 February 2020.
III. Supporting documents
The basis for initiating the proceedings was the file collected by the Office upon a complaint received by the Office on 22 February 2020 and also the facts established in the context of the inspection filed under the reference UOOU-07166/18 and performed by the Office’s inspector, Ms Jiřina Rippelová, at the charged company premises from 2 July 2018 to 19 March 2019, including the settlement of objections by the President of the Office under the reference UOOU-07166/18-53 of 4 June 2019 and further the file ref. UOOU-01733/19, in the context of which the adoption of remedial measures by the charged company was handled beyond the administrative procedure.
IV. Position of the charged company on the procedural conditions of the proceedings
In response to the initiation notice, the charged company sent its position on the matter on 14 April 2020. The company declared that it disagrees with the charges and rejects them as legally unfounded and lacking evidence, while suggesting that the Office order an oral hearing to properly establish the essence of the issue. Simultaneously, the charged company expressed that, in its opinion, the subject matter of the offence proceedings completely overlaps the substance of the inspection led by the Office’s inspector, Ms Jiřina Rippelová, under the reference number UOOU-07166/18, focused on compliance with the obligations set forth by the Regulation (EU) 2016/679 regarding the processing of personal data of AVAST antivirus program users, whereby on 12 June 2019 a notice was sent as a follow-up to this inspection, even before the beginning of the administrative proceedings, reference number UOOU-01733/19-5, requesting that the company inform the Office of the company’s acceptance of the inspection’s conclusions requiring the adoption of measures to remedy the identified shortcomings. The notice also stated that through the voluntary remedy of the shortcomings the company could have prevented the proceedings in the matter of authoritative imposition of corrective measures to eliminate the detected shortcomings.
On the basis of the inspector’s notice, the charged company presented four declarations together with proposals pertaining to personal data protection, and subsequently an additional declaration upon the Office’s request for cooperation of 26 February 2020, reference number UOOU-01733/19-18. The company is of the opinion that the Office, by its steps taken since June 2019, when the inspector required it to eliminate the shortcomings and to adopt remedial measures, including the subsequent requests for cooperation, evoked legitimate expectations that if the company voluntarily adopts the remedial measures accepted by the Office as sufficient, the case will be discontinued in compliance with Section 65 of the Act No. 110/2019 Coll., avoiding the need to open proceedings.
Moreover, the charged company objected to the obstacle of a pending trial, when in its opinion, ref. UOOU-01733/19 itself is classified as “administrative proceedings”, and the subject matter of these “proceedings” already encompasses the subject of the administrative proceedings.
Later, the charged company added to this reasoning in its proposal to supplement the evidence-gathering of 9 October 2020 that, with regard to the official record on the suspension of proceedings on the imposition of measures aiming at removal of the detected shortcomings (ref. UOOU-01733/19-31 of 18 September 2020), as the Office’s inspector, after her investigation and with respect to the measures taken meanwhile by the company, did not consider it reasonable to commence proceedings on the imposition of remedial measures, there is – with regard to the legitimate expectation principle – a legal ground to stop the offence proceedings, or, as the case may be, not to impose any sanction.
Similarly, the charged company argued, in its submission of 31 May 2021, ref. UOOU-01025/20-72, titled the final statement (hereinafter “the final statement”) and in the submission titled “the supplementary statement” of 23 February 2022, ref. UOOU-01025/20-93 (hereinafter “the supplementary statement”), that “it is undisputed that a res judicata obstacle arose, since the Office concluded, once and for all in the context of its inspection, ref. UOOU-07166/18, and the subsequent notice before the launch of the administrative proceedings, ref. UOOU-01733/19, that the principles of the application of consent submitted to the Office together with the balance tests and other documents related to the processing of personal data for the purpose of third-party analysis are in accordance with the GDPR, and the Office, aware of all the circumstances surrounding the processing, including all the relevant facts that appeared from July to December 2019, which are now the subject of the offence proceedings, decided not to initiate further administrative proceedings in this case, as a result of which, in the present case, a lis pendens (res judicata) was constituted.” Furthermore, the charged company added in its final statement as well as in the supplementary statement that “Given the state of play where the key legal issue has already been decided by the Office in another type of proceedings, the offence procedure is devoid of purpose, since it cannot end with a legal conclusion other than that Avast did not infringe its legal obligations under the GDPR, as noted by the Office following a notice prior to the launch of administrative proceedings, ref. UOOU-01733/19 and, consequently, could not commit the alleged offence. If Avast had committed an offence, the Office would have had to deal with it in the context of the administrative proceedings following the performed inspection ref. UOOU-07166/18, which was not the case.
The decision as to whether, after completion of the inspection, to initiate the administrative proceedings in respect of any potentially discovered shortcomings, including the facts which are the subject of the offence procedure and were already known to the Office in the course of the inspection, had already been taken by the Office in the context of the procedure following the notice before the launch of administrative proceedings, ref. UOOU-01733/19, when it decided not to initiate any further administrative proceedings in respect of those findings and related facts, including all the relevant facts occurred in the period of July to December 2019, which are now the subject of the offence proceedings, and thereby creating an obstacle to the case (res judicata) for any other administrative proceedings in that case, including offence proceedings. The Office is therefore now obliged to act against Avast in accordance with the principle of predictability (legitimate expectations), the principle of res judicata, and thus to discontinue the offence proceedings.”
Generally, the administrative authority states that the performance of an inspection according to the Act No. 255/2012 Coll., on inspection (Inspection Code), as amended, and administrative offence proceedings are two completely independent procedures pursuing different aims. The aim of an inspection is to establish the real state of the matter, i.e. actual compliance with the law. Based on the inspection findings it is then possible to impose measures correcting the identified shortcomings in order to correct or remove the unlawful conditions found (while failure to take these measures may itself be considered an administrative delict). The inspection process and the remedial measures pertaining to it cannot, however, be interchanged with or tied to the enforcement of responsibility for an offence, as the objective of these measures is not to punish, but to verify or, where necessary, ensure compliance of the inspected persons with the law.
Conversely, the aim of the administrative punishment is to impose an administrative penalty for an offence and thereby penalize the offender and discourage him from further breach of legal obligations.
It is evident from the above that it is possible to concurrently impose remedial measures in administrative proceedings for a breach of obligations found during an inspection, and to impose a fine for that breach of obligations in (standalone) offence proceedings, if the breach fulfils the elements of an offence. This is therefore not a breach of the principle ne bis in idem (not twice for the same matter), since remedial measures and an administrative penalty for an offence pursue two different objectives; rather, it is a situation of two completely separate proceedings whose subject matters do not overlap.
Concurrently, the administrative authority rejects the argument by the charged company suggesting that the subject of the Office’s inspection, filed under the ref. UOOU-07166/18, overlaps with the subject of these administrative proceedings, as it is apparent from the inspection report of 19 March 2019, ref. UOOU-07166/18-46, that the subject matter of the inspection was compliance with the obligations set out in the Regulation (EU) 2016/679 in relation to the processing of personal data of customers of the charged company, with a focus on the level of protection of privacy of users of the free antivirus software version in comparison with paying customers. The purpose of this inspection was not to precisely describe the technical side and function of the antivirus software, but rather to define the nature of the data processed in connection with its installation and usage. What was investigated was the controller’s adherence to the obligation to prove compliance of its procedures with the basic principles of personal data processing in the sense of Article 5(2) of the Regulation (EU) 2016/679 and the fulfilment of the controller’s obligation to adopt suitable technical and organizational measures in order to ensure, and be able to prove, that the processing is performed in accordance with this regulation in the sense of Article 24(1) of the Regulation (EU) 2016/679. The primary focus of the inspection was not on the fulfilment as such of the fundamental processing principles listed in Article 5(1) of the Regulation (EU) 2016/679, nor on other duties ensuing from this regulation. Conversely, with respect to the inspection results, it was no longer purposeful to assess compliance with other particular obligations which the charged company has as a controller of personal data of the antivirus program users.
This conclusion was shared even by the President of the Office within the settlement of the objections against the inspection findings, ref. UOOU-07166/18-53, of 4 June 2019, when she accepted that the inspection had not dealt primarily with the fulfilment of the basic personal data processing principles set out in Article 5(1) of the Regulation (EU) 2016/679. Inspection finding No. 3 stated only a breach of Article 24(1) of the Regulation (EU) 2016/679, meaning a breach of the controller’s obligation to introduce appropriate technical and organizational measures in order to be able to prove that the processing is performed in compliance with this regulation.
This fact alone shows that by sending the notice of 12 June 2019, ref. UOOU-01733/19-5, prior to the launch of the administrative proceedings, the Office could not have created legitimate expectations in this particular case suggesting that if the company voluntarily adopts the remedial measures and these are accepted as sufficient, it can then prevent different administrative proceedings in the matter of imposing a sanction for the offence committed. Conversely, the explicit wording of the given notice reveals unambiguously that a voluntary remedy of the identified shortcomings can prevent administrative proceedings in the matter of imposing remedial measures, i.e. as a follow-up to the performed inspection and the discovered breach of Article 24(1) of the Regulation (EU) 2016/679. The administrative authority cannot therefore agree with the charged company’s opinion that conducting administrative offence proceedings would be in contradiction with the predictability principle. Moreover, the concept of “legitimate expectation” as invoked here goes beyond its classical definition, namely the protection of a party’s expectation of a certain course of action by an administrative authority, an expectation which the authority has awakened or confirmed in the party through its previous unequivocal authoritative acts and on which the party has subsequently relied, or to which it has adapted its conduct. At the same time, the legally relevant action of the administrative authority (typically a consistent decision-making practice on a particular issue) must be followed by a conscious adaptation to that practice by the party. Only a subsequent sanction for a practice which the administrative authority has established or applied in the long term in such a way could be perceived as surprising.
As regards the charged company’s view that “a key legal item has already been decided by the Office in another type of proceedings”, the Office states that the letter of formal notice dated 12 June 2019, ref. UOOU-01733/19-5, cannot, in any event, be regarded as having the force of res judicata; indeed, it cannot be regarded as a decision within the meaning of Section 67(1) of the Code of Administrative Procedure at all. The notice in question did not create, alter or revoke the rights or obligations of a certain person, nor did it declare that a person has or does not have such rights or obligations as defined in Section 67(1) of the Code of Administrative Procedure. As regards the alleged rei iudicatae obstacle, the Office further states that, within the meaning of Section 77(2) of the Act No. 250/2016 Coll., such a decision, which constitutes an obstacle to the proceedings, is expressly “a decision stating that the act has not occurred, has not been committed by the accused person, has not succeeded in proving that the offence has not been committed or that the act is a criminal offence or an identical offence or is not an offence, the criminal proceedings were suspended, the prosecution was suspended on the basis of the approved settlement, the submission of a request for punishment was suspended or the prosecution of a minor was abandoned.” It is therefore quite clear from the above quotation (unofficial translation – note of the translator) that that notice does not constitute an obstacle to proceedings within the meaning of Section 77(2) of the Act No. 250/2016 Coll.
Moreover, the charged company, in its proposal of 9 October 2020 to supplement the evidence, referred to the official record of the Office’s inspector, Ms Jiřina Rippelová, concerning the decision not to launch any proceedings on remedial measures, ref. UOOU-01733/19-31 of 18 September 2020. The charged company stated that it ensued from this official record that it, in its capacity as a controller, ensured and was able to demonstrate that the processing of the personal data was conducted in compliance with Article 24(1) of the Regulation (EU) 2016/679, as all appropriate organizational and technical measures had been adopted even before the launch of proceedings on the imposition of remedial measures. Given this, the Office’s inspector, Ms Jiřina Rippelová, did not consider it reasonable to commence any administrative proceedings in this matter, whereby she stated in her record that the charged company “…..has successively adopted the obligations imposed on it as the controller by Article 24(1) of the Regulation (EU) 2016/679, has incorporated them into its activities, namely as regards assessment of the impact on the data subjects’ rights in cases where the legal ground for any of the processing purposes is the controller’s legitimate interest, be it the marketing purposes of Avast itself or marketing and analysis by third parties,…..”. The administrative authority adds to this statement that it has not found the charged company’s argument relevant, as it did not reflect the part of the inspector’s statement that reads “….for the purposes of the antivirus SW development”. It is obvious from this wording that the inspector’s statement included in the mentioned official record does not concern the subject matter of the administrative proceedings conducted with the charged company.
The charged company in its proposal of 9 October 2020 to supplement the evidence also said that, with regard to the voluntarily adopted remedial measures (the discontinuation of the processing for statistical trend analysis purposes also being part of the voluntary measures), which had been accepted as sufficient, the pending proceedings should be discontinued, or, as the case may be, the Office should decide not to impose any sanction. The Office, however, as explained in detail above, remains of the opinion that offence proceedings are completely autonomous and unrelated to any potential post-inspection proceedings concerning the imposition of remedial measures, so that the procedure chosen by the inspector, offering the charged company the possibility to voluntarily remedy the breach of obligations detected during the inspection and thus to prevent the launch of administrative proceedings concerning the imposition of remedial measures, is irrelevant for the administrative authority from the viewpoint of the pending offence proceedings.
V. Procedural method
As the Office did not find any reason to discontinue the offence proceedings as requested by the charged company, the Office ordered, at the charged company’s request, an oral hearing which took place at the Office’s premises on 28 May 2020.
During that hearing, the charged company’s request was accommodated in that the charged company committed itself to complete and explain in more detail in writing, within one month of the hearing, the issues raised during the meeting in order to properly identify all exculpatory and incriminating facts relevant to the proceedings. The company did so by a supplementary opinion of 29 June 2020, which, in the view of the administrative authority, presented sufficient documents for the decision to be taken.
The charged company, in its submission of 17 December 2020, requested yet another hearing. This request was rejected by the Office’s resolution, ref. UOOU-01025/20-43 of 22 January 2021. On 8 February 2021, the charged company appealed this resolution, but the appeal was subsequently dismissed by a decision of the President of the Office (ref. UOOU-01025/20-81 of 27 August 2021).
By requests of 11 February 2021 and of 24 March 2021, the charged company asked for access to the file, including “recordings of international cooperation”. By resolution of 23 April 2021 (ref. UOOU-1025/20-61), the Office did not consent to the part of the access request relating to records from the cooperation mechanism pursuant to Article 60 of the Regulation (EU) 2016/679. On 11 May 2021, the charged company lodged an appeal against that resolution, which was dismissed by a decision of the President of the Office (ref. UOOU-01025/20-82 of 27 August 2021).
The charged company, in accordance with Section 36(3) of the Code of Administrative Procedure, was given, by way of a notification of 29 April 2021, the possibility to comment on the matter before the issuance of a decision. The charged company made use of its right and accessed the file on 17 May 2021.
On 31 October 2021, by the procedure pursuant to Article 60(3) of the Regulation (EU) 2016/679, the Office presented the draft decision to the competent supervisory authorities. No relevant and reasoned objections within the meaning of Article 60(4) were raised, whereby the effects provided for in Article 60(6) of the Regulation (EU) 2016/679 arose. For the sake of completeness, it may be added that the draft decision had first been presented to the competent authorities already on 31 August 2020; however, that procedure was not completed, by decision of the administrative authority, so that draft did not become binding.
On 3 January 2022, the Office sent to the charged company a refined specification of the legal qualification of the matter in the sense of Section 78(4) of the Act No. 250/2016 Coll. Subsequently, the Office received the charged company’s request asking for a thirty-day period to provide a statement on the altered accusation, to propose evidence and to exercise other rights. The Office accommodated this request by its resolution of 18 January 2022.
On 23 February 2022, the charged company sent to the Office a submission titled supplementary statement, which, however, did not contain any new facts or statements beyond those provided earlier.
VI. Fact findings and evaluation thereof in relation to the Regulation (EU) 2016/679
According to Article 4(7) of the Regulation (EU) 2016/679, the controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In connection with the provision of the AVAST antivirus software, the charged company collects and further processes data on both paying and non-paying users of this product, which must be considered as personal data, as specified below. In defining the procedures for the installation and further use and operation of the antivirus software, the charged company also determined the purpose and means of the processing of personal data.
It is evident from the case material (inspection report of 19 March 2019, ref. UOOU-07166/18-46) that the charged company, within its business activity of installing the AVAST antivirus program and its subsequent use, processes users’ data which are personal data in the sense of Article 4(1) of the Regulation (EU) 2016/679 (the extent of which is presented below), that is, information relating to identified or identifiable natural persons (hereinafter “the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular (but not exclusively) by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
From the inspection protocol of 19 March 2019, ref. UOOU-07166/18-46, it is evident that “the charged company assigns, by each installation of the antivirus software, an ID to each device on which the antivirus program is installed (downloaded). The Device ID is derived on the basis of the technical parameters of the device (e.g. processor type, graphics cards or motherboard). Furthermore, a randomly generated alphanumeric code is assigned to the installation, a so-called Installation ID. The Installation ID is assigned to every single antivirus software installation. If for example the antivirus software on the same device is uninstalled and reinstalled, each of these installations is done under an identical Device ID, however under different Installation ID. (…) In addition, it is necessary for the antivirus software installation to know the internet protocol address (IP address) of the given device. The IP address may be generally defined as a set of binary numbers assigned to a specific device for the sake of its unequivocal identification during communication in the network.” The charged company “necessarily needs to know the IP address of the given device for the purpose of the antivirus SW installation”. On the basis of this identifier, the company decides on which device the software will be installed (i.e. where the given device is placed) and in which language version. The charged company stores the IP address of a device for a limited time and subsequently pseudonymizes this information through hashing, or replaces it with less specific information about location, for example city and country. This transformation takes place “roughly after one month, or after 60 days respectively (the information provided in the [charged] company’s position differs in this aspect)”. 
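The three identifiers described in the inspection protocol behave differently: a Device ID derived from hardware parameters stays the same across reinstallation, an Installation ID is random and changes with each install, and the IP address is kept raw only for a limited time before it is hashed or replaced by a coarse location. The following Python example is added here to illustrate that retention-and-pseudonymisation pattern; it is not the charged company’s code and does not describe its actual implementation. The record layout, the 30-day window, the secret key, the sample addresses and the prefix-to-city table are all constructed assumptions.

```python
"""Illustration (not the charged company's implementation) of identifier
handling as described in the inspection protocol: a hardware-derived
Device ID, a random Installation ID, and pseudonymisation of a stored IP
address after a retention window. All values below are constructed."""
import hashlib
import hmac
import ipaddress
import uuid
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed retention window for raw IP addresses. The protocol mentions
# roughly one month or 60 days; 30 days is chosen here as an example.
RAW_IP_RETENTION = timedelta(days=30)

# Constructed coarse-location table keyed by network prefix. A real
# deployment would consult a geo-IP database; this is sample data only
# (documentation ranges, not real users).
COARSE_LOCATION = {
    ipaddress.ip_network("203.0.113.0/24"): ("Prague", "CZ"),
    ipaddress.ip_network("198.51.100.0/24"): ("Brno", "CZ"),
}


def derive_device_id(hardware: dict) -> str:
    """Stable identifier derived from hardware parameters, so the same
    machine yields the same ID on every reinstallation (assumed scheme:
    SHA-256 over the sorted parameters)."""
    material = "|".join(f"{k}={hardware[k]}" for k in sorted(hardware))
    return hashlib.sha256(material.encode()).hexdigest()[:32]


def new_installation_id() -> str:
    """Random, per-installation identifier; differs on every install."""
    return str(uuid.uuid4())


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the packed address.

    A plain unkeyed hash is a weak pseudonym for IPv4: the input space
    has only 2**32 values, so an unkeyed digest can be matched back to
    its address by enumeration. A secret key, held only by the
    controller and rotated, keeps the token linkable solely by the key
    holder."""
    addr = ipaddress.ip_address(ip)
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()


def coarse_location(ip: str) -> Optional[Tuple[str, str]]:
    """Replace a precise address with city/country, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, loc in COARSE_LOCATION.items():
        if addr in net:
            return loc
    return None


def make_record(device_id: str, ip: str, collected_at_iso: str) -> dict:
    """Constructed telemetry record as stored while the IP is still raw."""
    return {"device_id": device_id, "ip": ip,
            "collected_at": collected_at_iso}


def apply_retention(record: dict, now_iso: str, key: bytes) -> dict:
    """Return a copy of the record; once the retention window has passed,
    the raw IP is dropped and only the keyed token and the coarse
    location remain."""
    out = dict(record)
    collected = datetime.fromisoformat(record["collected_at"])
    if datetime.fromisoformat(now_iso) - collected < RAW_IP_RETENTION:
        return out                       # still inside the window
    raw_ip = out.pop("ip")               # raw address is removed
    out["ip_token"] = pseudonymise_ip(raw_ip, key)
    out["location"] = coarse_location(raw_ip)
    return out


if __name__ == "__main__":
    hw = {"cpu": "example-cpu", "gpu": "example-gpu", "board": "example-board"}
    key = b"\x01" * 32                   # constructed key; use a managed secret
    rec = make_record(derive_device_id(hw), "203.0.113.7", "2019-04-01")
    print(apply_retention(rec, "2019-04-10", key))   # raw IP still present
    print(apply_retention(rec, "2019-06-01", key))   # token + coarse location
```

The point a reviewer would check in such a scheme is the last function: after the window the raw address must no longer be present anywhere in the stored record, and the token must be keyed, since an unkeyed hash of an IPv4 address is reversible by enumeration and would not count as effective pseudonymisation.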
Users of the free version of the antivirus software have an option within the privacy settings to choose, if their device sends a sample of detected malware to the charged company’s virus database, and if the information retrieved from their device may be analysed by third parties with which the charged company cooperates.
For the assessment of whether the charged company processes personal data of the AVAST antivirus software users, it is first necessary to evaluate if the gathered information can be linked with an identified or identifiable natural person. Identifiable is such a natural person whose identity can be directly determined based on the gathered information (i.e. a unique identifier is available, such as for instance a birth registration number or a unique combination of identifiers like name, surname, address). Identifiable is then such a natural person for whom the gathered information alone does not lead to a direct identification, however, on the basis of which (with the exploitation of additional accessible information and means) it is possible to identify the individual. Whereby, an unambiguous identification of a natural person does not only mean a civil identity of this natural person. Namely in the online environment, an unambiguous individualization of a user based on a certain element can in specific cases be enough.
For the assessment of the information’s nature, which the charged company collects and further exploits in connection with the provision of services in the form of AVAST antivirus software, it is essential to emphasize that Article 4 point 1 of the Regulation (EU) 2016/679 clearly states that a natural person is identifiable by for example reference to a network identifier. Even though the IP address as a network identifier is primarily a device’s technical piece of data, it is generally necessary to consider it as personal data and that is namely if it is probable that a given device is in the ownership of a concrete natural person. In the event that a specific IP address by itself does not provide a permanent identification of the device connected to the network, it is necessary, in adherence to Recital 26 of the Regulation (EU) 2016/679, to take into account all the means reasonably likely to be used by the controller or by another person. Consequently, the IP address is personal data for everyone who has the legal and real possibility of assigning the IP address to specific persons or may realistically anticipate that such a possibility exists, regardless of whom the assignment was performed by. It is therefore not decisive, if this ability of identification is direct, which means that the controller performs the data match on his own, based on the information at his disposal or is obtainable, or it is indirect meaning that it is necessary to cooperate among more subjects to identify the person.
As mentioned above, the AVAST antivirus software users were identifiable through the unique Device ID, which did not change, for instance, on reinstallation of the software. Natural persons were thus identifiable and all data collected about them could be assigned to them.
The charged company collected personal data relating to data subjects identifiable in this manner, in the scope described, for example, in the balance tests attached to the company’s statement of 5 August 2019, ref. UOOU-01733/19-7, or in the charged company’s statement of 1 August 2018, ref. UOOU-07166/18-12. This scope included in particular the data subject’s search history (i.e. “the history of URL searched from the device”), the Device ID, the Installation ID (GUID), data about the hardware or software of the system on which the antivirus program was installed, and “information about the applications running on the device, information related to the files and annexes stored in that device” (both quotations come from the mentioned statement of the charged company of 1 August 2018). For the sake of completeness, it can be added regarding the search history that it apparently represented the entire history of searches.
The Office sums up in this regard that the charged company was in the position of a controller within the meaning of Article 4(7) of the Regulation (EU) 2016/679 and collected personal data about identifiable natural persons within the meaning of that Regulation.
As the case file further reveals, the charged company transferred the collected personal data to the company Jumpshot. This primarily follows from the Data Licence Agreement concluded between the charged company and Jumpshot on 30 August 2014.
The relationship between the charged company and Jumpshot was subsequently governed by a contract called “Data Order Form”, whose effectiveness the parties set for the period from 1 January 2019 to 31 December 2028 (signed by the parties on 30 August 2019); it was annexed to the charged company’s statement of 4 April 2020 and is now part of the file. Throughout the administrative proceedings, the charged company consistently explained this transfer as being carried out for the purpose of statistical trend analysis.
In the Data Order Form, point 1.7 of the annexed Exhibit B titled “Restated Data License Agreement” expressly states: “Avast and Jumpshot acknowledge the Data may include personal data, as defined by applicable legislation (“Personal Data”). To the extent Data contains Personal Data, the parties have analyzed the nature of the use under the Agreement and have determined that Jumpshot has discretion to determine its uses of the Data in compliance with this Agreement and thus is a Data Controller.” The manner in which the parties to the agreement are to approach the protection of personal data is set out in point 3 of Exhibit B, “Removal of Direct Identifiers”. Point 3.1 states that: “Avast shall exercise commercially reasonable professional efforts to remove all direct identifiers from raw data before the Data is delivered to Jumpshot by Avast. Examples of direct identifiers include without limitation name, email, phone number, physical address, IP address, and national ID.” Point 3.1 also provides that Jumpshot grants the charged company a license to use “all Jumpshot know-how, technology and other intellectual property rights related to direct identification removal or data anonymization”, and this “by any means of use for the purposes of removal of direct identifiers from raw data”. Furthermore, the parties agreed on a procedure for situations where “any direct identifier contained in the Data” remains unremoved in the transferred data. In such a situation, Jumpshot is obliged to notify the charged company and to destroy the transferred data containing direct identifiers. It is also worth mentioning the parties’ provision that “If Jumpshot receives any direct identifiers that it does not want, it will promptly notify Avast and Avast will promptly revise the Data feed”.
The annexed Exhibit A of the same document, titled “Data Description”, reveals that the charged company and Jumpshot distinguish between “Existing Data” and “Future Data”, whereby “Existing Data” shall mean “all anonymized usage data provided to Jumpshot on the Effective Date (1 January 2019) that is collected by Avast through the following computer programs, mobile applications, services or features thereof”. Although the “Existing Data” are described as “anonymized”, point 3 of Exhibit A provides for a procedure for assigning a specific identification number to the data. Under this provision, “As part of the Existing Data, Avast shall provide to Jumpshot its generic user identification number (“GUID”). Jumpshot shall procure that the GUID is replaced by another unique identifier devised and assigned to the relevant Data by Jumpshot (“JID”) before the Existing Data may be used in Jumpshot’s production environment and thereafter Jumpshot shall destroy each GUID once a JID has been created with respect to the same. Jumpshot is not allowed to use the GUID for any other purposes than assigning a proper JID to relevant Data and checking whether a proper JID was assigned to relevant Data.” Moreover, point 3 of Exhibit A lists measures which Jumpshot shall observe in relation to the GUID (i.e. it shall not include the GUID in the data sets Jumpshot uses for its analytic products and services, shall not provide any third party with access to the GUID, shall not disclose to any third party, including the charged company, any information on how a GUID is replaced by a JID, so that any reverse engineering of the original GUID from the corresponding JID is prevented, etc.).
For the sake of completeness, it should be added that the “Future Data” are defined in point 2 of Exhibit A as “(i) any data that is being collected by Avast as of the Effective Date but is not included within the definition of the Existing Data and (ii) any new data or new sets of data Avast starts collecting after the Effective Date (“Future Data”), but in each case excluding any directly identifiable information and/or Personal Data (as defined by applicable legislation) that cannot be licensed under applicable law.”
It must be noted in this regard that the charged company transferred to Jumpshot personal data within the meaning of Article 4(1) of the Regulation (EU) 2016/679. This can be concluded from the quoted documents, under which the data falling within the definition of both “Existing Data” and “Future Data” were “all” or “any” data collected by the charged company (and these personal data also included the data subject’s internet search history). The fact that the charged company collected personal data is evidenced above. The conclusion that the charged company transferred personal data to Jumpshot is further supported by the above-quoted provision agreed between the charged company and Jumpshot in point 1.7 of Exhibit B of the Data Order Form, titled “Restated Data License Agreement”, where both parties acknowledged that the transferred data “may include personal data, as defined by applicable legislation (“Personal Data”). To the extent Data contains Personal Data, the parties have analyzed the nature of the use of Data under the Agreement and have determined that Jumpshot has discretion to determine its uses of the Data in compliance with this Agreement and thus is a Data Controller.” (This applies notwithstanding the definition given in the description of “Existing Data”.)
Even though the charged company claimed during the administrative proceedings (for instance in the final statement, page 3, point 5(ii), or in the supplementary statement, page 3, point 6) that it anonymized the personal data, it apparently understands anonymization as merely the removal of direct identifiers (name, email address, phone number, physical address, IP address and national identification number) and their potential substitution by a generic identification number or another (randomly generated) identifier. However, the personal data collected by the charged company included, as mentioned above, the browsing history, which is a unique record of a specific user’s activities in the online environment. It must be reiterated that a particular person can be identified even without a specific identifier (which the charged company calls a “direct identifier”) by reference solely to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Social identity is constituted by the set of the individual’s behaviour, in other words, the history of searches performed by that individual. The unique record of information about a natural person’s behaviour in the online environment thus defines that person’s social identity in this environment, which can undoubtedly lead to the discovery of the personal identity of the given user. Removal of direct identifiers is therefore irrelevant in this case, since, for the reasons given, the entire online search history of the data subjects in the present matter represents personal data within the meaning of the Regulation (EU) 2016/679.
The charged company’s claims that it transferred to Jumpshot anonymized data, or data after separation of “direct identifiers” (see for example the final statement, point 5(iv)), can be supplemented by noting that the charged company itself states that “in case of statistical trend analysis, Avast has put in place internal security measures to separate job roles so that, for example, the employee in charge of statistical trend analysis does not have access to direct identifiers processed for other purposes. In particular, these measures ensure that personal data are not disclosed to more persons than is strictly necessary.” (quotation from the final statement, ref. UOOU-1025/20-72, page 3, point 5(v), and the supplementary statement, page 4, point 7(f)). It is obvious from the above that the charged company itself was aware that it handled personal data, whereas it can at best be assumed that these data (after separation of direct identifiers) were pseudonymized.
It should be added that the charged company and Jumpshot are interlinked companies, i.e. part of a group, as is apparent, inter alia, from the Relationship Report of 31 March 2021 (available e.g. in the Collection of Documents at https://or.justice.cz/ias/ui/vypis-sl-detail?dokument=67760122&subjektId=719557&spis=294284). In the given case, for that reason alone, it is not possible to speak of anonymous data where at least one part of the group holds data on the basis of which the data subjects are identifiable (in this case it is the charged company which holds such data) in the form of direct identifiers. In other words, it is not possible to speak of anonymous data if, in the overall context of the processing (i.e. including the transfer), certain sets of personal data are separated but the data retain a characteristic (content, value) such that their later interconnection, albeit partial, enables the reverse identification of the data subjects. Nor can the data be considered anonymous merely because both companies undertook to proceed in a way that does not permit such “reverse engineering” between them. It follows from this consideration that the data transmitted by the charged company to Jumpshot were personal data within the meaning of Article 4(1) of the Regulation (EU) 2016/679.
In other words, even if the charged company transferred personal data to Jumpshot without direct identifiers, it itself continued to hold them. A mere comparison of the browsing history (potentially) without direct identifiers, as available to Jumpshot, with the identical history that the charged company held together with the direct identifiers made it possible to reverse-identify the data subjects without any further means (using the internet browsing history alone). This, however, does not change the conclusion that the data subject’s browsing history as such constitutes personal data within the meaning of the Regulation (EU) 2016/679.
The Office reiterates and sums up in this respect that, on the basis of the above facts, it considers it proven that the charged company collected personal data (within the meaning of the Regulation (EU) 2016/679) of users of the AVAST antivirus program, namely and foremost the history of the data subjects’ online searches (browsing history, i.e. data about their online behaviour), and transferred these personal data to Jumpshot for the purpose of statistical trend analysis (as defined by the charged company), whereas it is evident from the above that it is immaterial whether or not this was done without direct identifiers.
For the sake of completeness and to give a broader picture, the Office adds that articles published by PCMag and Motherboard on 7 January 2020 reported that Jumpshot sold on the data transferred by the charged company, specifically the described browsing history; Omnicom Media Group was mentioned in particular. The risk linked to such a transaction consists, among other things, in the possibility of matching the databases kept by the companies that bought data from Jumpshot against precisely these data. The purchasing companies could then identify the data subjects as well. Typically, this could be an e-shop able to match its own sales records against the purchased browsing history containing that purchase, whereby the data subject could be easily identified (or, respectively, would become identifiable for that e-shop). The e-shop would then obtain, at least in relation to the identifiable person, a picture of that person’s entire online activity, including, for example, purchases at other vendors.
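The two re-identification paths described in this chapter (the original holder matching a received history against its own copy, and a downstream buyer such as an e-shop matching its own order records against the purchased histories) can be demonstrated directly. The following Python script is an added illustration and is not part of the decision or of any code of the parties; the records, URLs and field names are constructed for the example, and its pseudonymisation routine is a generic model of “removal of direct identifiers plus GUID-to-JID replacement”, not the parties’ actual procedure. It shows the general linkage attack, of which the two situations in the text are instances.

```python
"""Linkage attack on a pseudonymised clickstream (constructed demonstration).

Models the situation described in the decision: the collecting party holds
direct identifiers plus a per-user browsing history; the recipient gets the
same histories with direct identifiers stripped and the GUID replaced by a
random JID. The histories themselves remain, so (a) the original holder can
match every JID back, and (b) any buyer with partially overlapping records,
such as an e-shop with its own order URLs, can identify its customers and
learn their entire online activity. All records and URLs are constructed.
"""
import secrets
from collections import defaultdict

# Field names whose values the contract calls "direct identifiers".
DIRECT_IDENTIFIERS = {"email", "ip"}

# Constructed stand-in for the collecting party's data set (GUID = installation ID).
CONTROLLER_RECORDS = {
    "guid-0001": {"email": "alice@example.net", "ip": "203.0.113.7",
                  "history": ["https://shop-a.example/cart?item=7731",
                              "https://news.example/politics/vote-2019",
                              "https://forum.example/thread/98213"]},
    "guid-0002": {"email": "bob@example.net", "ip": "203.0.113.9",
                  "history": ["https://shop-b.example/order/55077",
                              "https://news.example/sport/final",
                              "https://maps.example/?q=Prague+7"]},
    "guid-0003": {"email": "carol@example.net", "ip": "198.51.100.4",
                  "history": ["https://news.example/politics/vote-2019",
                              "https://shop-b.example/order/55120",
                              "https://health.example/condition/x"]},
}

# Constructed order book of one e-shop: order-confirmation URL -> customer.
ESHOP_ORDERS = {
    "https://shop-b.example/order/55077": "bob@example.net",
    "https://shop-b.example/order/55120": "carol@example.net",
}


def pseudonymise(records):
    """Strip direct identifiers and replace each GUID with a fresh random JID.

    Returns (feed, guid_to_jid). The JID is unguessable, so it cannot be
    reversed on its own; the demonstration shows that this is irrelevant
    because the history travels with it unchanged.
    """
    feed, mapping = {}, {}
    for guid, rec in records.items():
        jid = "jid-" + secrets.token_hex(8)
        mapping[guid] = jid
        feed[jid] = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    return feed, mapping


def fingerprint(history):
    """Order-independent fingerprint of a browsing history."""
    return frozenset(history)


def reidentify_by_history(feed, records):
    """What the original holder can do: match each JID to a GUID purely by
    comparing histories. Returns {jid: guid} for unambiguous matches only."""
    index = defaultdict(list)
    for guid, rec in records.items():
        index[fingerprint(rec["history"])].append(guid)
    result = {}
    for jid, rec in feed.items():
        candidates = index.get(fingerprint(rec["history"]), [])
        if len(candidates) == 1:
            result[jid] = candidates[0]
    return result


def eshop_link(feed, order_urls):
    """What a buyer of the feed can do: any URL it can already tie to a named
    customer links that customer to a JID and hence to the whole history,
    including visits to other vendors. Returns {customer: full_history}."""
    linked = {}
    for rec in feed.values():
        for url in rec["history"]:
            customer = order_urls.get(url)
            if customer is not None:
                linked[customer] = list(rec["history"])
    return linked


def run_demo():
    """Return (number of JIDs re-identified by the holder, e-shop linkage)."""
    feed, mapping = pseudonymise(CONTROLLER_RECORDS)
    back = reidentify_by_history(feed, CONTROLLER_RECORDS)
    recovered = sum(1 for guid, jid in mapping.items() if back.get(jid) == guid)
    return recovered, eshop_link(feed, ESHOP_ORDERS)


if __name__ == "__main__":
    recovered, linked = run_demo()
    print(f"holder re-identified {recovered}/{len(CONTROLLER_RECORDS)} JIDs")
    for customer, history in linked.items():
        print(f"e-shop linked {customer} to {len(history)} URLs: {history}")
```

Run stand-alone, the script reports that the holder recovers all three JIDs and that the e-shop learns the full histories of its two customers, including the health-related and political URLs they visited elsewhere, while the user with no order at that shop stays unlinked only until some other buyer holds an overlapping record. This is why the decision treats the history itself, not the removed identifiers, as the personal data.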
VII. Conclusions on the breach of Article 6(1) of the Regulation (EU) 2016/679
Pertaining to statement I. of this decision, the administrative authority declares that one of the core principles of personal data protection is laid down in Article 5(1)(a) of the Regulation (EU) 2016/679, according to which personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This principle of lawfulness in particular is tied to Article 6(1) of the Regulation (EU) 2016/679, according to which processing is lawful only if and to the extent that at least one of the conditions set out under points (a) to (f) of that paragraph is met.
The charged company, as mentioned above, collected personal data about identifiable data subjects in the scope described, for instance, in the balance tests annexed to its statement of 5 August 2019, ref. UOOU-01733/19-7, or in the charged company’s statement of 1 August 2018, ref. UOOU-07166/18-12. This scope encompassed in particular the data subject’s online search history (i.e. “the history of URL searched from the device”), the Device ID, the Installation ID (GUID), data about the hardware or software of the system on which the antivirus program was installed, and “information about the applications running on the device, information related to the files and annexes stored in that device” (both quotations come from the mentioned statement of the charged company of 1 August 2018). The company continued to process subsets of these personal data for additional purposes, including, among others, the transfer of these data to Jumpshot as a new controller within the meaning of Article 4(7) of the Regulation (EU) 2016/679, on the basis of a “Data Licence Agreement” concluded between them on 30 August 2014, and later on the basis of the “Data Order Form” (attached to the charged company’s statement of 14 April 2020, ref. UOOU-1025/20-11), until the closure of Jumpshot in January 2020.
In response to this point the charged company declared that “the purpose of this processing was to create statistical data which help companies manage their strategies and, with this purpose in mind, to provide them with reliable data. The leading international brands and the digital experts found the independent trend analysis to be a unique value because large companies such as Amazon and Google do not provide statistical data from domains under their control and effectively impede companies’ access to this information so important for doing business. This source of data is key for maintaining competitiveness in the online business sector” (quotation from the charged company’s statement of 14 April 2020, ref. UOOU-01025/20-11). According to the charged company, “only essentially and minimised data subset was used” for the statistical trend analysis (quotation from the same statement of 14 April 2020, ref. UOOU-01025/20-11).
The charged company further declared that, in processing the personal data of users of the paid version of the antivirus program for the purpose of statistical trend analysis, it originally relied on the legal ground of legitimate interest (whereby, according to the charged company, the lawfulness of processing for this purpose had been assessed and positively evaluated by means of a balance test). As for the users of the free version of the antivirus program, the charged company is convinced that their data were anonymized and therefore not subject to the relevant legal regulation. Moreover, according to the charged company’s statement, users of both the paid and the free versions were informed about the processing in question for statistical trend analysis and had the opportunity to refuse it, which means that users were provided with a general and unconditional right to opt out. If a user raised an objection by clicking the so-called opt-out button, no further data were processed for these purposes. This option was available to users of both the paid and the free versions of the antivirus program.
The charged company’s statement shows that in July 2019 it introduced direct consent (opt-in) to the processing of users’ personal data for the purpose of statistical trend analysis, in accordance with the WP29 Opinion 06/2014 on the notion of legitimate interests, whereby in its opinion it ensured a higher level of personal data protection than required by the applicable legal regulation.
The administrative authority only reiterates that, for data to be anonymized, they must be stripped of a sufficient number of elements so that the data subject can no longer be identified either by the controller itself or by a third party (by means reasonably likely to be used by the controller or by a third party). The removal of directly identifying elements as such is not enough to prevent the identification of a data subject. As long as data subjects are identifiable, the data protection rules apply, and, as set out in the preceding chapter, the data subjects were identifiable in this particular case, or, respectively, the transferred data were personal data within the meaning of the Regulation (EU) 2016/679.
In assessing the legal grounds for the transfer of personal data to a new controller (the company Jumpshot) within the meaning of Article 4(7) of the Regulation (EU) 2016/679 for the statistical trend analysis of personal data of users of the antivirus program and its browser extensions, during the period from at least April 2019 to July 2019 (for observations on the delimitation of this period see below), the administrative authority first dealt with the question of whether the given processing could fall under Article 6(1)(f) of the Regulation (EU) 2016/679, i.e. whether it was a situation where the processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
It is evident from Recital 47 of the Regulation (EU) 2016/679 that the existence of a legitimate interest must in any case be carefully assessed, including an assessment of whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for those purposes may take place. The interests and fundamental rights of the data subject could in particular override the interests of the controller where personal data are processed in circumstances where the data subject does not reasonably expect further processing (for the above-mentioned purpose). When relying on this legal ground, the controller must always balance its legitimate interests against the legitimate interests and fundamental rights and freedoms of the data subject. This principle of reasonable expectation was entirely disregarded in the present case.
The charged company bases the lawfulness of the transfer to a new controller (the company Jumpshot, within the meaning of Article 4(7) of the Regulation (EU) 2016/679) of personal data of users of the antivirus program and the browser extensions for statistical trend analysis on a balance test concerning the use of third parties’ analytical tools conducted in April 2019. According to this test, the purpose of the data transfer to third parties is the analysis of user behaviour and trend analysis, which is to encompass merely anonymous data. The balance test therefore did not address trend analysis in any detail; point C(10) itself states that this topic was included in the balance test for the sake of completeness only. Point C(2) of the balance test also shows that the analyses conducted are to be essential to ensure the proper functioning of the product and the creation of an intuitive and user-friendly environment for the antivirus program. It is evident that a purpose defined in this way is not pursued by the statistical trend analysis, which brings users no declared added value. Consequently, the administrative authority has not found that the charged company sufficiently assessed the existence of a legitimate interest, whether its own or that of third parties, in the processing of personal data for statistical trend analysis, or that it demonstrated the necessity of that processing. At the same time, given that the charged company’s field of activity is the antivirus protection of users, including the protection of their privacy, it is less probable that data subjects could reasonably expect their personal data to be further processed for the purpose of statistical trend analysis. The Office adds in this regard that the charged company did not demonstrate that it had a legal ground for the processing of the personal data in question (i.e. the transfer of personal data to Jumpshot for statistical trend analysis) within the meaning of Article 6(1)(f) of the Regulation (EU) 2016/679.
The charged company, in its statement on the subject of the proceedings, further declares that users were informed about the processing for the purpose of statistical trend analysis (which includes the transfer of personal data to Jumpshot) during the activation process of the trend analysis and in its data protection policy as well, and that during the period from April 2019 to July 2019 they had the possibility to refuse or disallow it by clicking the opt-out button in the privacy settings. Subsequently, in July 2019, with the aim of expanding users’ choice and control over data processing, the charged company began switching to an opt-in system of obtaining consent, without the nature of the processing having changed. Users of the paid and free versions of the antivirus program could then grant their consent until the end of January 2020, i.e. until the closure of Jumpshot.
The administrative authority states that the availability of an opt-out (which was evidently used at least over the period from April 2019 to July 2019; for more on this see below) does not constitute user consent as a legal ground for processing within the meaning of Article 6(1)(a) of the Regulation (EU) 2016/679, since such consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement. Agreement is understood as an actively given, “positive” expression of will leading to the “granting of consent”, and not merely the “non-use of the possibility to refuse”. The opt-out principle described and applied here is consequently not free consent within the meaning of the Regulation (EU) 2016/679, as the element of “freely given” presupposes a real, active choice of the given option (i.e. an expression of agreement); conversely, an act of the user’s will consisting in not choosing the option “switch the function off” cannot be regarded as valid consent within the meaning of the Regulation (EU) 2016/679 (as also follows from Guidelines 5/2020 of the European Data Protection Board). It can be added that if the processing has several purposes, consent should be given for all of them. Data subjects must be free to choose which purposes they accept and must not be forced to consent to the whole set of purposes. If the controller has bundled several processing purposes without seeking separate consent for each of them, the consent is not valid. Consent must also be given by an active act or statement. Neither the use of pre-ticked boxes, nor silence or inactivity on the part of the data subject, nor even the continued use of the service can be considered an active indication of choice.
Nor can consent be obtained in a single step together with, for instance, agreement to a contract or acceptance of the general terms and conditions of the service. Therefore, the company’s claim mentioned above, that users (data subjects) were sufficiently informed of the existence of the right to withdraw their consent, is significantly misleading, since, in the light of the above, there can by definition be no consent at all. Due to the factual lack of any possibility of choice, the Office also finds in this context that the charged company has not demonstrated a legal ground for the processing of the personal data in question (that is, the transfer of personal data to Jumpshot for the purpose of statistical trend analysis) within the meaning of Article 6(1)(a) of the Regulation (EU) 2016/679, since the consent to the processing of personal data applied at least between April 2019 and July 2019 was not freely given and therefore not valid, for the reasons set out above.
In its statement of 14 April 2020, the charged company stated that, as of July 2019, it had switched to obtaining consent to the processing of personal data by the opt-in method, as evidenced by the “screenshot of the activation process for the analysis of trends from July 2019” (without specifying a particular date).
For the sake of completeness, it can be added that the charged company’s data protection policy, in the wording effective from at least April 2019 to July 2019 (annexed to the charged company’s statement of 14 April 2020) and referred to on the above-mentioned activation screen, states in chapter “A. How we use personal data” that the company collects personal data of its users for the following purposes: to process the purchase of products and services, to offer users a product or service, or for reasons of legitimate interest. If the use of users’ personal data is based on legitimate interests and is compatible with the provision of the service, users have the right to object. The following chapter, “B. Choice and portal”, informs users of the possibility to choose the way in which their data will be used. Among the individual choices there is also the option “Analytical data of third parties”, which is further described as sharing data with third parties for analytical purposes, such as purchase optimization, system crash reports and analytical data on trends. A note informs users that all users of the free version as well as paying customers may choose to turn this function off.
Therefore, on the basis of the above, the Office considers it proven that, at least over the period from April 2019 to July 2019, the charged company transferred personal data of users of the AVAST antivirus program and its browser extension to Jumpshot as a new controller, in order to produce a statistical trend analysis, even though this was not supported by any legal ground within the meaning of Article 6(1) of the Regulation (EU) 2016/679, thereby breaching that provision.
For the sake of completeness, the Office notes that the charged company repeatedly stressed in its statements that “the subsets of personal data that primarily were gathered for the purpose of service provision, are subsequently processed for compatible secondary purposes including, among others, the processing of personal data consisting in their anonymization and transfer of such anonymized data to Jumpshot for the statistical trend analysis until the company’s shutdown in January 2020.” It should be added that describing the trend analysis as “statistical” (as the charged company frequently does in its statements) does not make this purely commercial activity a “statistical purpose” (comparable in its substance and procedure to, for instance, scientific or historical research) of the kind the Regulation (EU) 2016/679 has in mind in Article 6(4) and in Recitals 50 and 156.
Given that the charged company obtains and processes personal data primarily for the purpose of providing its service, i.e. processing necessary for the performance of a contract to which the data subject is party pursuant to Article 6(1)(b) of the Regulation (EU) 2016/679 (final statement, point 5(i)), no compatibility was found with the further use of these data (even if to a limited extent) consisting in providing them for payment (Data Order Form, Exhibit B, “Restated Data License Agreement”) to an entity other than the charged company (even if part of the same group) for the purposes of a commercial trend analysis. Although compatibility of processing purposes within the meaning of Article 6(4) of the Regulation (EU) 2016/679 does not mean that the purposes must be identical, when assessing this issue it is always necessary to reflect the very sense of the Regulation (EU) 2016/679, which is the protection of personal data. It must be stressed in the first place that accepting too extensive an interpretation of Article 6(4) would open the door to intentional circumvention of the basic principles of personal data processing, namely the purpose limitation principle and the lawfulness of processing within the meaning of Article 5 and Article 6(1) of the Regulation (EU) 2016/679. In view of the above, it is therefore necessary to assess the legal ground for the processing of personal data consisting in their transfer to Jumpshot under Article 6(1) of the Regulation (EU) 2016/679.
VIII. Conclusions concerning the breach of information obligation
Pertaining to statement II. of this decision, the administrative authority states that pursuant to Article 13(1)(c) of the Regulation (EU) 2016/679, a controller is obliged, at the moment of the receipt of data subject’s personal data, to convey information the processing purposes for which personal data are intended, and the legal basis for processing.
As already stated above in the charged company’s data protection policy in the wording effective from at least April 2019 to July 2019 (details explaining the delimitation of the duration of the unlawful situation - see below), it is contained in chapter “A. How we use personal data“, that the company collects personal data of its users for the following purposes: as to be able to handle the purchase of a product or service, offer users a product or service, or for reasons of a legitimate interest. If the use of personal data is based on legitimate interests and is compatible with the service provision, users have the right to object.
The above-mentioned “screenshot of the activation process of trend analysis and privacy settings of April 2019” (which was used by the charged company until a non-specified day of July 2019) informs only that “The collected information helps us to learn about new and interesting trends. This information can be shared with third parties outside Avast. However, before we do so, everything that could in any way identify you personally will be removed.”
“Statistical data that were anonymized are clustered by geographical key and cannot therefore be used for the identification of persons, and we also share them with third parties for the trend analysis purpose.” See chapter Objectives of our principles.
“Third-party analytical data – when we shared our data with a third party for analytical purposes, such as purchase optimisation, system shutdown messages and analytical data on trends. Note: all users of the free version as well as the paying customers can opt for switch-off of this feature.” See chapter Choice and portal.
“The primary processing of service data will be carried out for performance of the contract on provision of the respective product or service. The secondary processing of service data will be compatible with our legitimate interests, in order to provide you with advantages of research, analysis, and development across products and delivery of messages across products. If we need to process your service data for a purpose requiring consent we will inform you thereof. We will apply the general rules for granting and withdrawing a consent.” See chapter Service data.
“The Clickstream data are pseudonymized and anonymized and we reuse them for direct marketing among products, development among products and third-party trend analysis.” See chapter Avast products and services and AVG AntiVirus.
The mentioned information does not lead to any conclusion that the charged company processed personal data (namely in the form of the history of online searches by data subjects) collected through its products also for the purpose of their transfer to the company Jumpshot for “statistical trend analysis”. This processing purpose is not mentioned by the charged company in the relevant documents. Although the charged company does inform generally that it can share the collected data with third parties, it principally presents these data as anonymous. This “fact” has been overturned and the Office considers it proven that the charged company transferred personal data to Jumpshot. Consequently, the Office states that the charged company failed to inform data subjects about the purpose of the personal data processing consisting in the transfer of those data to Jumpshot for “statistical trend analysis”, as well as about the underlying legal basis.
It can be added that the charged company did not inform, even in a general manner, about the fact that it transfers to other controllers personal data collected via its products (including a complete history of internet searches by data subjects) for statistical trend analysis, and the information mentioned in the section “third-party analytical data” in no way meets the information obligation laid down in Article 13(1)(c) of the Regulation (EU) 2016/679, also because the wording of this information does not clarify what data are concerned (and whether they are personal data at all), as the charged company marked them only as “our”.
Therefore, the administrative authority considers as proven that the charged company breached also the obligation stemming from Article 13(1)(c) of the Regulation (EU) 2016/679, since it has not met the information obligation towards the data subjects (its users), when at the time of receipt of data subjects’ personal data, it failed to inform them, in relation to the transfer of the personal data to the company Jumpshot, about the processing purposes and about the legal grounds for the processing, and consequently it has committed an offence as per Article 62(1)(c) of the Act No. 110/2019 Coll.
As for the duration of the unlawful situation, the Office notes that it is delimited identically as in the case presented in statement I, and for the same reasons, while the consent to the use of personal data applied by the charged company since July 2019 contained a new informative text mentioning the transfer of data about the visited websites to external partners.
IX. Objection concerning inadequate proceedings length and objection concerning non-disclosure of documents from the international consultation
The charged company in its statement of 23 February 2022 referred to the decision of the Norwegian Privacy Board (Personvernnemnda), in which this authority “decided to completely abolish the imposed fine due to an inadequate length of the proceedings lasting for almost three years. Personvernnemnda also pronounced itself in the sense that if it had not completely abolished the fine, it would recommend to the supervisory authority to reduce it, with the justification that the assessment of the legitimate interest of a company pursuant to Article 6(1)(f) of the Regulation (EU) 2016/679 does not suffer from such shortcomings as to be qualified as a serious breach. The fact that the controller conducts an assessment of the suitable legal basis other than the data protection supervisory authorities cannot necessarily constitute a serious breach.”
As to this objection, it is worth mentioning that the comparison with the Norwegian Privacy Board’s decision suggested by the charged company is completely out of place regarding the significance and extent of the charged company’s behaviour that is the subject of these proceedings. Namely, it is necessary to stress that the subject matter of the Norwegian Privacy Board’s decision was, according to the publicly available information, only the use of a surveillance system in a restaurant. Moreover, these proceedings do not deal with “only” an insufficiency of the legitimate interest assessment, but (primarily) with the lack of any legal title within the meaning of Article 6 of the Regulation (EU) 2016/679. The described comparison is thus completely irrelevant as to the subject matter and complexity of this matter, from which, given its nature, the duration of the proceedings derives.
As for the objection concerning the non-disclosure of the documents from the Office’s communication with other supervisory authorities pursuant to Article 60 of the Regulation (EU) 2016/679, the Office refers in full extent to the decision on remonstrance ref. UOOU-01025/20-82 of 27 August 2021 that related to this matter.
X. Merits of offence and penalty determination
According to Article 5 of the Act No. 250/2016 Coll., an offence is a harmful unlawful act, which is expressly identified in the law as an offence and which displays characteristics set in the law, and concurrently is not a criminal offence. Pursuant to Section 62(1)(a) of the Act No. 110/2019 Coll., the controller or processor commits an offence by infringing one of the basic principles for the processing of personal data pursuant to Articles 5 to 7 or 9 of the Regulation (EU) 2016/679. Pursuant to Section 62(1)(c) of the Act No. 110/2019 Coll., a controller or processor commits an offence by infringing one of the rights of data subjects under Articles 12 to 22 of the Regulation (EU) 2016/679 or Title II.
As per Article 41(1) of the Act No. 250/2016 Coll., for two or more offences committed by one and the same offender and handled within a single proceeding, the administrative penalty shall be set, according to this provision, in relation to the one of the offences which is punishable most severely. If the upper limits of penalties are the same, the administrative penalty shall be imposed as per the provision relating to the most serious offence. Therefore, the administrative authority had to assess which of the offences committed by the charged company is the more severe one. The authority came to conclusion that it is the offence as per Article 62(1)(b) of the Act No. 110/2019 Coll., which the charged company committed by breaching the Article 6(1) of the Regulation (EU) 2016/679, since it pertains to the breach of the core data processing principle, which must be understood to be the most important principle defining how a controller may handle personal data. A breach of a basic principle shall, in accordance with Article 83(5) of the Regulation (EU) 2016/679, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
As per Article 83(1) of the Regulation (EU) 2016/679, each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Pursuant to Article 83(2) of the Regulation (EU) 2016/679, administrative fines shall be imposed, depending on the circumstances of each individual case, except for the measures referred to in points (a) to (h) and (j) of Article 58(2). In deciding whether to impose an administrative fine and to decide on the amount of the administrative fine in individual cases, due account shall be taken of the following circumstances:
a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
According to Article 83(3) of the Regulation (EU) 2016/679, if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. The interpretation of this provision was confirmed by the binding decision of the European Data Protection Board No. 1/2021 regarding WhatsApp, which excluded the restrictive interpretative alternative leading to the imposition of a fine only for the gravest offence without reflecting the other linked offences.
In determining the type and size of the administrative penalty, the Office took into account the circumstances mentioned in Article 83(2) of the Regulation (EU) 2016/679 in a manner as follows.
First, the Office assessed the nature, gravity and duration of the breach of obligations pursuant to Articles 6(1) and 13(1)(c) of the Regulation (EU) 2016/679, taking into account the nature, scope and purpose of the processing concerned, as well as the number of data subjects affected and the level of damage caused to them (Article 83(2)(a) of the Regulation (EU) 2016/679).
As regards the nature of the breach of the obligation under Article 6(1) of the Regulation (EU) 2016/679, the Office finds that it involves a breach of the fundamental principle of personal data processing, i.e. the principle of lawfulness as set out in Article 6(1) of the Regulation (EU) 2016/679, and must therefore be regarded as a breach of a legally provided obligation with a very high degree of gravity in terms of its nature. As regards the nature of the offence under Article 13(1)(c) of the Regulation (EU) 2016/679, the Office notes that also in this respect the offence is of a higher level of severity, since the breach of the charged company’s obligation to provide information significantly affects the general possibility of exercising the data subjects’ rights laid down in the Regulation (EU) 2016/679, as only duly informed data subjects can exercise their rights in their entirety. The Office considered that the principle of speciality does not apply to the second breach in relation to the first one.
As to the extent of the processing at stake, it is necessary to emphasise its international, virtually global nature and the fact that, concurrently, it was of a sophisticated and technologically advanced nature; in the given dimensions therefore, such processing entails more difficulties for data subjects to protect their legal sphere.
The processing was an integral part of the charged company’s professional activity, not an accidental action, or an internal organisational matter (e.g. business administration). In this context, the Office also took into account the purpose of the unlawful data processing whereby the charged company supported the performance of its business activity and thus acted, by definition, in order to make profit.
The offence has affected a large number of data subjects. The 2019 annual report of the charged company (available in the Collection of documents at https://or.justice.cz/ias/ui/vypis-sl-detail?dokument=63111648&subjektId=719557&spis=294284) shows that it provides services to more than 435 million users worldwide. It can therefore be considered proven that the number of data subjects affected or potentially affected is enormous, corresponding, by order of magnitude, to the highest market shares (active users) in the given segment. This is a factor particularly relevant to the assessment of the gravity of the conduct in question.
In general, it is necessary to examine and take into account the degree of harm to the subjective rights of data subjects, and potentially also the gravity of the damage caused. However, in this case, that criterion gives way to the previous criterion (number of the users affected), since, in case of such a large-scale processing, the specific interference with the rights of individuals is relativized, and in particular, those individual impacts cannot be examined case by case.
As regards the duration of the breach of Articles 6(1) and 13(1)(c) of the Regulation (EU) 2016/679, as mentioned above, it lasted from a non-specified day of April 2019 to a non-specified day of July 2019, that is, for at least two whole calendar months. However, the length of that period cannot be regarded as a mitigating circumstance in the context of the amount of personal data transmitted by users, since even a single day of collection of personal data from an average user of a computer with the AVAST antivirus program or its browser extension installed constituted a complex set of data about the data subject’s behaviour in the online environment. It was only possible to prove the duration to that extent, but it can be reflected that the processing did not start precisely at the beginning of the proven period, but entered the established period as already “running”. Thus, for the purpose of determining the gravity of the facts, account is taken only of the absence of an initial time limitation of the processing concerned, but not of the actual period preceding the established (decisive) period.
Furthermore, the Office considered the criterion of the form of the breach of the obligations under Article 6(1) and Article 13(1)(c) of the Regulation (EU) 2016/679 by the charged company (Article 83(2)(b) of the Regulation (EU) 2016/679). In that regard, it should be stressed that this criterion applies only to the assessment of the nature and potential amount of the administrative fine. Thus, culpability is not a condition of offence liability in the case of legal persons, which is based on so-called objective liability (accountability). According to the Office, it is clear, by definition, that the charged company knew what it was doing when transferring personal data to third parties as part of its business. Therefore, it cannot be but concluded that both breaches of obligations under the Regulation (EU) 2016/679 were committed intentionally, at least in the form of indirect intent, where the charged company knew that it might infringe or undermine a legally protected interest and accepted the fact of a potential violation thereof or threat thereto.
As regards the degree of the controller’s responsibility, mindful of the technical and organisational measures put in place by the controller pursuant to Articles 25 and 32 (Article 83(2)(d) of the Regulation (EU) 2016/679), the Office states that this viewpoint cannot be applied in the present case, since the subject matter of the proceedings does not lie in the circumstances relating to the technical and organisational measures in place.
When assessing all the relevant previous offences by the controller (Article 83(2)(e) of the Regulation (EU) 2016/679), the Office concluded that it did not find existence of such relevant offences. However, this finding cannot be regarded as a mitigating circumstance.
Reflecting the category of personal data affected by the breach (Article 83(2)(g) of the Regulation (EU) 2016/679), the Office finds that it cannot be considered proven beyond reasonable doubt that in this particular case the processing involved a special category of data within the meaning of Article 9(1) of the Regulation (EU) 2016/679 (whatever the sensitivity of the information about the online behaviour and preferences of users at stake). This fact has therefore not been regarded as aggravating. However, for the sake of completeness, the Office adds that, even in the present case, this finding is not a mitigating circumstance.
Furthermore, the Office took into account the fact that the alleged breach of the Regulation (EU) 2016/679 by the charged company during the processing of personal data in question was brought to the Office’s attention through the media, therefore there was not any mitigating circumstance to be reflected in this context.
The criterion referred to in Article 83(2)(j) of the Regulation (EU) 2016/679 was not relevant in this particular case, as the charged company did not claim to comply with any approved code pursuant to Article 40 or a certificate referred to in Article 42 of the Regulation (EU) 2016/679 and was therefore not evaluated by the Office.
As regards the criterion laid down in Article 83(2)(k) of the Regulation (EU) 2016/679, that is to say, taking into account any other aggravating or mitigating factor applicable to the case, the Office states that it first took into account the fact that the charged company breached, in relation to the same subject matter of the processing of personal data, one other provision of the Regulation (EU) 2016/679, specifically Article 13(1)(c), which was assessed to its detriment. As a fundamental aggravating circumstance, the Office took into account the fact that the charged company, which profiles itself as a professional in the field of information and privacy protection, in which users of its products assume an above-average level of trust and a high ethical level of conduct and reasonably expect such a company to protect their personal data from attackers, itself made the personal data of users of the AVAST antivirus program and its browser extension an object of its business relations, that is to say, the data of its clients who reasonably trusted the charged company (and used its products for that purpose) precisely in order to achieve the maximum protection of their personal data. The highly invasive nature of the charged company’s conduct in relation to the privacy of users must also be assessed as an aggravating circumstance.
As to the actual determination of the specific amount of the administrative fine, it should be noted at the outset that a number of criteria provided to this end by the Regulation (EU) 2016/679 (as described above) were considered, but the result of the evaluation of those criteria cannot be expressed by any precise mathematical algorithm (judgment of the European Court of Justice (Fifth Chamber) of 16 November 2000 in Case C-283/98 P, Mo och Domsjö AB v Commission of the European Communities). With regard to the aforementioned, the Office set the amount of the administrative fine on the basis of those considerations.
It is apparent from the last publicly accessible closing financial statement of the charged company for the year 2020, filed in the Collection of documents on 10 September 2021 (available at https://or.justice.cz/ias/ui/vypis-sl-detail?dokument=67760122&subjektId=719557&spis=294284), that it reached a turnover of CZK 17,773,306,000 (ca. EUR 691,568,326) in the reference year. Pursuant to Article 83(5)(a) of the Regulation (EU) 2016/679, a breach of the basic principles for processing referred to in Article 6 shall be subject to an administrative fine of up to EUR 20,000,000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. It is clear from the mentioned turnover that the amount of 4 % of total turnover (i.e. CZK 710,932,240, ca. EUR 27,662,733) is higher than EUR 20,000,000 in the present case. The Office therefore considered imposing an administrative fine of up to CZK 710,932,240 (ca. EUR 27,662,733).
Subsequently, the Office set the initial amount for the calculation of the administrative fine which would be considered adequate in the absence of any aggravating or mitigating circumstances. As such, the Office considered circumstances increasing or reducing the social harmfulness of the offence from the viewpoint of the Regulation (EU) 2016/679. In the context of this deliberation, the Office first considered certain typical characteristics of the harmfulness (on the theoretical scale of seriousness) of the conduct, since the overall seriousness of the offence affects the anchoring of the Office’s reasoning within a certain band represented by the margin between the minimum and maximum possible fine. In the present case, as mentioned above, the breach of Article 6(1) of the Regulation (EU) 2016/679 was considered more serious. In order to determine the seriousness of that offence, it must be reiterated that the breach of that fundamental principle of lawfulness is one of the most serious kinds of unlawful conduct, since the absence of a legal basis makes the overall processing of personal data practically impossible. Additionally, there is the breach of Article 13(1)(c) of the Regulation (EU) 2016/679. The above-mentioned elements further increase the severity: the international, even global nature of the processing, the enormous number of affected and potentially affected subjects, and the consistent (entrepreneurial) mode of activity within the framework of the core professional focus of the charged company.
With regard to the very high level of severity of the detected conduct, the Office concluded that, in the case of the breach of lawfulness of the processing, with regard to the other offence specified, an amount corresponding to 30 % of the maximum possible amount (which the Office rounded down to whole hundreds of thousands) appears to be an adequate initial amount for the calculation of the administrative fine, which in this case amounts to CZK 213,000,000 (ca. EUR 8,287,937).
For sake of completeness, it should also be noted that the statement of the Office’s reasoning on the amount of a potential administrative fine as a percentage (percentage rates) does not have the character of a mathematical algorithm resulting in an absolute amount, but expresses the correlation between the various aspects of the case assessed by the Office and their structure in the determination of the amount of the fine.
Bearing in mind the above, the Office concludes that, setting the initial amount for the calculation of the administrative fine at CZK 213,000,000 (ca. EUR 8,287,937) and increasing that initial amount by 65 %, the amount of the administrative fine for both offences was set at CZK 351,000,000 (ca. EUR 13,657,587), that is to say, corresponding to half of the highest administrative fine applicable. In addition, such an amount will also have an appropriate dissuasive effect on the charged company, preventing it from any future breaches of other legal obligations laid down in the Regulation (EU) 2016/679. Consequently, the Office had no reason to further increase this particular amount in order to achieve those individual effects. However, it should be emphasised that a lower amount would have to be measured in more detail against the individual preventive criteria (and corrected in this regard).
For the sake of completeness, it shall be added that, when setting the amount of the fine, the Office also considered, in addition to the above, that the sanction imposed should not be devastating for the charged company (a disproportionate burden), bearing in mind the information about the charged company recorded in the commercial register and in the Collection of documents. As mentioned above, it is apparent from the last publicly accessible financial statement of the charged company for the year 2020, deposited in the Collection of documents on 10 September 2021 (available at https://or.justice.cz/ias/ui/vypis-sl-detail?dokument=67760122&subjektId=719557&spis=294284), that it achieved a turnover of CZK 17,773,306,000 (ca. EUR 691,568,326) in that year and a profit of CZK 5,603,232,000 (ca. EUR 218,024,591) before taxes. In the light of this fact, the Office concluded that the amount of the fine fixed by this decision is not of a devastating (disproportionate) nature for the charged company. In the light of the foregoing, it has been decided as set out in statement III. of this decision.
XI. Decision on proceedings costs
The obligation to cover the costs of the proceedings was decided as per Article 95(1) of the Act No. 250/2016 Coll., which mandates the administrative authority to impose on the guilty party the costs of the proceedings in the form of a lump sum, and pursuant to Article 6(1) of the Decree No. 520/2005 Coll., on expenses and lost income by which the administrative authority reimburses other persons and on the amount of the lump sum of the costs of proceedings, according to which the lump sum amounts to CZK 1,000.
Instruction: In accordance with Article 152(1) of the Administrative Code this decision of the Office for Personal Data Protection can be appealed within 15 days as of the receipt of this decision to the President of the Office for Personal Data Protection.
The decision is considered delivered on the day of receipt of a copy of this document, but no later than ten days after it has been deposited at the post office. In the case of delivery to a data box, the day of receipt is considered to be the moment of logging in by an authorised person, but not later than ten days after the delivery of the decision to the data box.
Prague, 14 March 2022
Head of Supervision Department
- Czech National Bank exchange rate of 27 October 2021 (1 EUR = CZK 25.700)
The text corresponds to the original text. Visual modifications may however have been made to improve the readability of the document.